Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MessageSource::getMessageFilePath() - filename injection #18913

Merged
merged 12 commits into from
Sep 30, 2021
1 change: 1 addition & 0 deletions framework/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ Yii Framework 2 Change Log
- Enh #18899: Replace usages of `strpos` with `strncmp` and remove redundant usage of `array_merge` and `array_values` (AlexGx)
- Bug #18898: Fix `yii\helpers\Inflector::camel2words()` to work with words ending with 0 (michaelarnauts)
- Enh #18904: Improve Captcha client-side validation (hexkir)
- Bug #18913: Fix filename injection for `MessageSource::getMessageFilePath()` (uaoleg)


2.0.43 August 09, 2021
Expand Down
4 changes: 4 additions & 0 deletions framework/i18n/GettextMessageSource.php
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
namespace yii\i18n;

use Yii;
use yii\base\InvalidArgumentException;

/**
* GettextMessageSource represents a message source that is based on GNU Gettext.
Expand Down Expand Up @@ -129,6 +130,9 @@ protected function loadFallbackMessages($category, $fallbackLanguage, $messages,
*/
protected function getMessageFilePath($language)
{
if (!empty($language) && !preg_match('/^[a-z_-]+$/i', $language)) {
samdark marked this conversation as resolved.
Show resolved Hide resolved
throw new InvalidArgumentException(sprintf('Invalid language code: "%s".', $language));
}
$messageFile = Yii::getAlias($this->basePath) . '/' . $language . '/' . $this->catalog;
if ($this->useMoFile) {
$messageFile .= self::MO_FILE_EXT;
Expand Down
4 changes: 4 additions & 0 deletions framework/i18n/PhpMessageSource.php
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
namespace yii\i18n;

use Yii;
use yii\base\InvalidArgumentException;

/**
* PhpMessageSource represents a message source that stores translated messages in PHP scripts.
Expand Down Expand Up @@ -132,6 +133,9 @@ protected function loadFallbackMessages($category, $fallbackLanguage, $messages,
*/
protected function getMessageFilePath($category, $language)
{
if (!empty($language) && !preg_match('/^[a-z_-]+$/i', $language)) {
samdark marked this conversation as resolved.
Show resolved Hide resolved
throw new InvalidArgumentException(sprintf('Invalid language code: "%s".', $language));
}
$messageFile = Yii::getAlias($this->basePath) . "/$language/";
if (isset($this->fileMap[$category])) {
$messageFile .= $this->fileMap[$category];
Expand Down